2014-08-25 - SWEET ORANGE EK 95.163.121.188 - CDN.SWEETIP.NET:16122 - CDN5.TEQUILACRITICO.ES:16122

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


FAILED ATTEMPT 1 - SWEET ORANGE EK SENDS FLASH EXPLOIT, BUT NO INFECTION:

FAILED ATTEMPT 2 - SWEET ORANGE EK CALLS FOR JAVA EXPLOIT, BUT RETURNS 404 NOT FOUND:

FAILED ATTEMPT 3 - SWEET ORANGE EK LANDING PAGE, BUT NO INFECTION:

SUCCESSFUL ATTEMPT 1 - SWEET ORANGE EK INFECTS VM USING CVE-2013-2551 MSIE EXPLOIT:

SUCCESSFUL ATTEMPT 2 - SWEET ORANGE EK INFECTS VM USING FLASH EXPLOIT:

SUCCESSFUL ATTEMPT 3 - SWEET ORANGE EK INFECTS VM USING CVE-2013-2551 MSIE EXPLOIT:

SUCCESSFUL ATTEMPT 4 - SWEET ORANGE EK INFECTS VM USING FLASH EXPLOIT:

SUCCESSFUL ATTEMPT 5 - SWEET ORANGE EK INFECTS VM USING JAVA EXPLOITS (2 DIFFERENT JAVA EXPLOITS, 2 OF THE SAME PAYLOAD):

NOTE: [!] marks where the malware payload was delivered.


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT (CVE-2014-0515):

File name:  2014-08-25-Sweet-Orange-EK-flash-exploit.swf
File size:  5.0 KB ( 5089 bytes )
MD5 hash:  d2caccaace2a0ff5c304f2232f2cc7d8
Detection ratio:  1 / 55
First submission:  2014-08-25 18:42:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/871574e8baf2aa1069b735326da78bd00bf610f0aa44f13c05b576e7d4ae5604/analysis/


JAVA EXPLOIT 1 OF 2:

File name:  2014-08-25-Sweet-Orange-EK-java-exploit-1-of-2.jar
File size:  41.4 KB ( 42413 bytes )
MD5 hash:  24cc85f8885c054ecf2ff0d283898beb
Detection ratio:  2 / 54
First submission:  2014-08-25 18:42:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ac1e0fa0ad3569e73ebd03338cd36ab951eb9cf04003a63ab450c53020d59a15/analysis/


JAVA EXPLOIT 2 OF 2:

File name:  2014-08-25-Sweet-Orange-EK-java-exploit-2-of-2.jar
File size:  40.1 KB ( 41044 bytes )
MD5 hash:  74c9860b11fa9ef00c0fe6576cff51bb
Detection ratio:  2 / 55
First submission:  2014-08-25 18:42:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c3ec6466a3f19410f2167dbdf6c211ed92ecb1847120d46e3d951bfc4142b492/analysis/


MALWARE PAYLOAD:

File name:  2014-08-25-Sweet-Orange-EK-malware-payload.exe
File size:  288.0 KB ( 294912 bytes )
MD5 hash:  4f924c2514b48bd4e50b87146fd3b7cf
Detection ratio:  5 / 55
First submission:  2014-08-25 15:36:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9c2ffb4feeccb57a27f85558043f22a8618e3916eb6b5c3f60f3443610881148/analysis/
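The four file entries above give an MD5 for each artifact and a VirusTotal link whose path segment is the file's SHA-256. The script below is an added example, not part of this post or of the malware-traffic-analysis.net site: it turns those entries into an indicator table, derives the SHA-256 from each VT URL, reproduces the "KB ( bytes )" size label so the two numbers can be cross-checked, and matches an arbitrary byte string against the table by either hash. The `hash_bytes`, `match_indicators` and `Indicator` names are mine; the only sample input it hashes is a constructed string, so it never needs the real samples to run.

```python
import hashlib
import re
from dataclasses import dataclass

# Indicators transcribed from the post's "preliminary malware analysis" entries:
# (file name, size in bytes, MD5, VirusTotal report URL). The SHA-256 is the
# 64-hex-character segment of the VirusTotal URL.
PAGE_ENTRIES = [
    ("2014-08-25-Sweet-Orange-EK-flash-exploit.swf", 5089,
     "d2caccaace2a0ff5c304f2232f2cc7d8",
     "https://www.virustotal.com/en/file/871574e8baf2aa1069b735326da78bd00bf610f0aa44f13c05b576e7d4ae5604/analysis/"),
    ("2014-08-25-Sweet-Orange-EK-java-exploit-1-of-2.jar", 42413,
     "24cc85f8885c054ecf2ff0d283898beb",
     "https://www.virustotal.com/en/file/ac1e0fa0ad3569e73ebd03338cd36ab951eb9cf04003a63ab450c53020d59a15/analysis/"),
    ("2014-08-25-Sweet-Orange-EK-java-exploit-2-of-2.jar", 41044,
     "74c9860b11fa9ef00c0fe6576cff51bb",
     "https://www.virustotal.com/en/file/c3ec6466a3f19410f2167dbdf6c211ed92ecb1847120d46e3d951bfc4142b492/analysis/"),
    ("2014-08-25-Sweet-Orange-EK-malware-payload.exe", 294912,
     "4f924c2514b48bd4e50b87146fd3b7cf",
     "https://www.virustotal.com/en/file/9c2ffb4feeccb57a27f85558043f22a8618e3916eb6b5c3f60f3443610881148/analysis/"),
]

VT_URL_RE = re.compile(r"virustotal\.com/en/file/([0-9a-f]{64})/")


@dataclass(frozen=True)
class Indicator:
    """One file indicator: name, exact size, and both hashes in lowercase hex."""
    name: str
    size: int
    md5: str
    sha256: str


def sha256_from_vt_url(url: str) -> str:
    """Extract the SHA-256 that VirusTotal embeds in its per-file report URL."""
    m = VT_URL_RE.search(url)
    if not m:
        raise ValueError(f"no SHA-256 in VirusTotal URL: {url}")
    return m.group(1)


def kb_label(nbytes: int) -> str:
    """Reproduce the post's size label (KiB to one decimal) for cross-checking the byte count."""
    return f"{nbytes / 1024:.1f} KB"


def load_indicators(entries=PAGE_ENTRIES) -> list:
    """Build Indicator objects from (name, size, md5, vt_url) tuples."""
    return [Indicator(name, size, md5.lower(), sha256_from_vt_url(url))
            for name, size, md5, url in entries]


def hash_bytes(data: bytes) -> tuple:
    """Return (md5, sha256) of the given bytes as lowercase hex."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def match_indicators(data: bytes, indicators: list) -> list:
    """Return every indicator whose MD5 or SHA-256 matches the data.

    A size mismatch on a hash hit is reported in the returned tuple rather than
    silently dropped: it usually means a transcription error in the indicator
    list, which is worth knowing about before acting on the match.
    """
    md5, sha256 = hash_bytes(data)
    hits = []
    for ind in indicators:
        if ind.md5 == md5 or ind.sha256 == sha256:
            hits.append((ind, len(data) == ind.size))
    return hits


# Constructed sample input (not malware): an indicator built from it exercises
# the matching path without needing any real sample from the post.
SAMPLE = b"constructed sample bytes for the added example, not a real artifact"
SAMPLE_INDICATOR = Indicator("constructed-sample.bin", len(SAMPLE),
                             hash_bytes(SAMPLE)[0], hash_bytes(SAMPLE)[1])


if __name__ == "__main__":
    table = load_indicators()
    for ind in table:
        print(f"{ind.name}: {kb_label(ind.size)} ( {ind.size} bytes ) md5={ind.md5} sha256={ind.sha256}")
    for ind, size_ok in match_indicators(SAMPLE, table + [SAMPLE_INDICATOR]):
        print(f"match: {ind.name} (size consistent: {size_ok})")
```

Feeding `match_indicators` the contents of files pulled from a suspect host (or carved from the pcap) gives a quick yes/no against exactly the indicators this post lists; the size check catches the common case of a hash copied correctly but paired with the wrong file entry.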


SNORT EVENTS

Applicable signatures from the Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Reading the pcap using Snort 2.9.6.0 and the Sourcefire VRT ruleset on Ubuntu 14.04 LTS:


HIGHLIGHTS FROM THE TRAFFIC

Embedded code in javascript file from compromised website:


Redirect pointing to Sweet Orange EK landing page:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
